[Certificat] Mise en place d’un certificat Let’s Encrypt pour Zimbra 8.8.9 - iZero

Mise en place d’un certificat Let’s Encrypt pour Zimbra 8.8.9

Article original Publié le : 11 août 2018

Mise a jour le : 30 novembre 2019

Suite a la mise a jour de mon serveur et au renouvellement du certificat, je mets a jour la procédure moins confuse que la précédente.

/!\ Petit rappel, pour générer un certificat avec Let’s Encrypt, il faut que le port 443 soit ouvert et non utilisé.

Se connecter en user zimbra puis stopper le service proxy

# su - zimbra

1	# su - zimbra

$ zmproxyctl stop

1	$ zmproxyctl stop

Revenir sur son user ou root puis générer le certificat

# ./opt/letsencrypt/letsencrypt-auto certonly --standalone -d nom_du_serveur_mail

1	# ./opt/letsencrypt/letsencrypt-auto certonly --standalone -d nom_du_serveur_mail

Pour validation, cela renverra

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nom_du_serveur_mail/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nom_du_serveur_mail/privkey.pem
Your cert will expire on 2018-11-09. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/nom_du_serveur_mail/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/nom_du_serveur_mail/privkey.pem

Your cert will expire on 2018-11-09. To obtain a new or tweaked

version of this certificate in the future, simply run

letsencrypt-auto again. To non-interactively renew *all* of your

certificates, run "letsencrypt-auto renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

Créer le root-ca

# vim /tmp/root-ca.pem

1	# vim /tmp/root-ca.pem

-----BEGIN CERTIFICATE-----

MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/

MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT

DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow

PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD

Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O

rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq

OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b

xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw

7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD

aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV

HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG

SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69

ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr

AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz

R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5

JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo

Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

-----END CERTIFICATE-----

Copier les fichiers générés par Let’s Encrypt dans /tmp, puis créer la chaîne de certification.

# cp /etc/letsencrypt/live/nom_du_serveur_mail/* /tmp

1	# cp /etc/letsencrypt/live/nom_du_serveur_mail/* /tmp

# cd /tmp

# cd /tmp

# cat chain.pem root-ca.pem > chain-root-ca.pem

1	# cat chain.pem root-ca.pem > chain-root-ca.pem

Sauvegarder le précédent certificat, renommer les fichiers,copier le nouveau certificat et mettre les droits.

# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

1	# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

# mv cert.pem commercial.crt

1	# mv cert.pem commercial.crt

# mv chain-root-ca.pem chain.txt

1	# mv chain-root-ca.pem chain.txt

# cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

1	# cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

# chown zimbra.zimbra /tmp/*.crt

1	# chown zimbra.zimbra /tmp/*.crt

# chmod 666 /tmp/*.crt

1	# chmod 666 /tmp/*.crt

Puis se reconnecter avec le user Zimbra et finaliser le déploiement du certificat et redémarrer les services.

$ su - zimbra

1	$ su - zimbra

$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt

1	$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt

$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt

1	$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt

$ zmcontrol restart

1	$ zmcontrol restart

Pour vérifier le certificat

# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

1	# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

SubjectAltName=nom_du_serveur_mail - imapd: /opt/zimbra/conf/imapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=<strong>nom_du_serveur_mail</strong> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 

SubjectAltName=nom_du_serveur_mail - ldap: /opt/zimbra/conf/slapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=<strong>nom_du_serveur_mail</strong> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 SubjectAltName=nom_du_serveur_mail - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=<strong>nom_du_serveur_mail</strong> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 SubjectAltName=nom_du_serveur_mail - mta: /opt/zimbra/conf/smtpd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=<strong>nom_du_serveur_mail</strong> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 SubjectAltName=nom_du_serveur_mail - proxy: /opt/zimbra/conf/nginx.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=<strong>nom_du_serveur_mail</strong> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

SubjectAltName=nom_du_serveur_mail - imapd: /opt/zimbra/conf/imapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

SubjectAltName=nom_du_serveur_mail - ldap: /opt/zimbra/conf/slapd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

SubjectAltName=nom_du_serveur_mail - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

SubjectAltName=nom_du_serveur_mail - mta: /opt/zimbra/conf/smtpd.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

SubjectAltName=nom_du_serveur_mail - proxy: /opt/zimbra/conf/nginx.crt notBefore=Aug 11 10:56:44 2018 GMT notAfter=Nov 9 10:56:44 2018 GMT subject= /CN=nom_du_serveur_mail issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

22/06/2019 : Ajout d’un petit script qui regroupe toute les commandes.
Pré-requis: Avoir le root-ca en local et verifier le chemin du repertoire let’s encrypt.

# ./renew_cert_zimbra.sh

1	# ./renew_cert_zimbra.sh

#!/bin/bash
su zimbra /opt/zimbra/bin/zmproxyctl stop

/opt/letsencrypt/certbot-auto certonly
cp /root/root-ca.pem /tmp
cp /etc/letsencrypt/live/server-mail.domaine.tld/* /tmp
cd /tmp
cat chain.pem root-ca.pem > chain-root-ca.pem
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
mv cert.pem commercial.crt
mv chain-root-ca.pem chain.txt
cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr viewdeployedcrt"

echo ""
echo "Verification de la date du certificat"
echo ""
echo | openssl s_client -servername server-mail.domaine.tld -connect server-mail.domaine.tld:443 2>/dev/null | openssl x509 -noout -dates

#!/bin/bash

su zimbra /opt/zimbra/bin/zmproxyctl stop

/opt/letsencrypt/certbot-auto certonly

cp /root/root-ca.pem /tmp

cp /etc/letsencrypt/live/server-mail.domaine.tld/* /tmp

cd /tmp

cat chain.pem root-ca.pem > chain-root-ca.pem

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

mv cert.pem commercial.crt

mv chain-root-ca.pem chain.txt

cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra.zimbra /tmp/*.crt

chmod 666 /tmp/*.crt

su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt"

su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt"

su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"

su - zimbra -c "/opt/zimbra/bin/zmcertmgr viewdeployedcrt"

echo ""

echo "Verification de la date du certificat"

echo ""

echo | openssl s_client -servername server-mail.domaine.tld -connect server-mail.domaine.tld:443 2>/dev/null | openssl x509 -noout -dates

A l’execution:

Stopping proxy...done.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/server-mail.domaine.tld.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld/privkey.pem
   Your cert will expire on 2019-09-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer server-mail.domaine.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer server-mail.domaine.tld...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/c1d601f8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c1d601f8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host server-mail.domaine.tld
        Stopping zmconfigd...Done.
        Stopping imapd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host server-mail.domaine.tld
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting dnscache...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.
        Starting imapd...Done.
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld

Verification de la date du certificat

notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

Stopping proxy...done.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/server-mail.domaine.tld.conf)

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Keep the existing certificate for now

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/server-mail.domaine.tld/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/server-mail.domaine.tld/privkey.pem

Your cert will expire on 2019-09-19. To obtain a new or tweaked

version of this certificate in the future, simply run certbot-auto

again. To non-interactively renew *all* of your certificates, run

"certbot-auto renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'

Valid certificate chain: /tmp/commercial.crt: OK

** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'

Valid certificate chain: /tmp/commercial.crt: OK

** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'

** Copying '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'

** Appending ca chain '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'

** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

** NOTE: restart mailboxd to use the imported certificate.

** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer server-mail.domaine.tld...ok

** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer server-mail.domaine.tld...ok

** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'

** Creating keystore '/opt/zimbra/conf/imapd.keystore'

** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'

** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'

** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'

** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'

** NOTE: restart services to use the new certificates.

** Cleaning up 7 files from '/opt/zimbra/conf/ca'

** Removing /opt/zimbra/conf/ca/ca.key

** Removing /opt/zimbra/conf/ca/ca.pem

** Removing /opt/zimbra/conf/ca/c1d601f8.0

** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt

** Removing /opt/zimbra/conf/ca/4f06f81d.0

** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt

** Removing /opt/zimbra/conf/ca/2e5ac55d.0

** Copying CA to /opt/zimbra/conf/ca

** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'

** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'

** Creating CA hash symlink 'c1d601f8.0' -> 'ca.pem'

** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt

** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'

** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt

** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'

Host server-mail.domaine.tld

Stopping zmconfigd...Done.

Stopping imapd...Done.

Stopping zimlet webapp...Done.

Stopping zimbraAdmin webapp...Done.

Stopping zimbra webapp...Done.

Stopping service webapp...Done.

Stopping stats...Done.

Stopping mta...Done.

Stopping spell...Done.

Stopping snmp...Done.

Stopping cbpolicyd...Done.

Stopping archiving...Done.

Stopping opendkim...Done.

Stopping amavis...Done.

Stopping antivirus...Done.

Stopping antispam...Done.

Stopping proxy...Done.

Stopping memcached...Done.

Stopping mailbox...Done.

Stopping logger...Done.

Stopping dnscache...Done.

Stopping ldap...Done.

Host server-mail.domaine.tld

Starting ldap...Done.

Starting zmconfigd...Done.

Starting dnscache...Done.

Starting logger...Done.

Starting mailbox...Done.

Starting memcached...Done.

Starting proxy...Done.

Starting amavis...Done.

Starting antispam...Done.

Starting antivirus...Done.

Starting opendkim...Done.

Starting snmp...Done.

Starting spell...Done.

Starting mta...Done.

Starting stats...Done.

Starting service webapp...Done.

Starting zimbra webapp...Done.

Starting zimbraAdmin webapp...Done.

Starting zimlet webapp...Done.

Starting imapd...Done.

- imapd: /opt/zimbra/conf/imapd.crt

notBefore=Jun 21 20:56:08 2019 GMT